diff options
-rw-r--r-- | nonprism/iceweasel-hardened-preferences/PKGBUILD | 14 | ||||
-rw-r--r-- | nonprism/iceweasel-hardened-preferences/iceweasel-branding.js | 43 |
2 files changed, 47 insertions, 10 deletions
diff --git a/nonprism/iceweasel-hardened-preferences/PKGBUILD b/nonprism/iceweasel-hardened-preferences/PKGBUILD index 97296d4db..30f4e1da1 100644 --- a/nonprism/iceweasel-hardened-preferences/PKGBUILD +++ b/nonprism/iceweasel-hardened-preferences/PKGBUILD @@ -2,7 +2,7 @@ # Contributor: André Silva <emulatorman@parabola.nu> pkgname=iceweasel-hardened-preferences -pkgver=0.3 +pkgver=0.4 pkgrel=1 pkgdesc="Hardened preferences script which runs Iceweasel to protect from a variety of privacy, security, and fingerprinting attacks." arch=(any) @@ -19,13 +19,13 @@ source=('firefox-branding.js' 'iceweasel-branding.js' 'iceweasel-hardened.install') sha512sums=('cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e' -'d542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800' -'b5e36db1b8934358c5477b32c7d4c5e990bdf22066cc2382f6a9b9992b21704518a60a5e1710cf3722290a9a1d7af87d0930d5ceab2624503a7545cebd8a6085' -'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6') + 'd542452fa1d619d22e9c9b6e4af58d7310abdc5c81d871a1abbddb0087c53913c8a244af2b7be416a2c439383afc2480c439078ebde0ccac518300d9027b4800' + '1f78311f279ed4bac4b7b411ab116fa0eded389b64bdb689249f79445195ff4af41c00586c90d361bee07341db435e7707c360f0e9681a7ac04b50b70f4fb748' + 'e9baa13d50195ff5be507093c45c00bb06a77c9e633ac183ec2fd74eebb11bfc07bde334fe4455b763e8700cde146ae223578ebd8d13066739220502b6eebff6') whirlpoolsums=('19fa61d75522a4669b44e39c1d2e1726c530232130d407f89afee0964997f7a73e83be698b288febcf88e3e03c4f0757ea8964e59b63d93708b138cc42a66eb3' -'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2' -'fb08d3dc1c264714c8f20389fb0201b7e9917e0499890821baa3cc38c3b698bc83f63bb8d6522362032e86366dd92fd89e66f8742777892b8d4de150bc8158dc' -'44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9') + 'f7cb38e58f644ddeae9f931c290ae1d96e54d0a8937171f2ebad498b65b87f2115cbd0a0f2a55e12dceba7a387e70fd2432678010a87975f8322c9c27b41efd2' + '55cffabc1a093a9179213d4f47d618c20f6b03dc33d4d199663d79dc7610e0103ecc19f7e25fdbbcb228048fcd64b0677930e2bbe3243fe223ba3c919e9ae6fc' + '44b57bbbf8f00ffee11afc84f5ea3daedc39e59da3ee91e337c1eaad24c014caf5680eb250e25a3e046db9caaf6829c3b667693de9f040d8864be34b96300bb9') package() { install -Dm644 iceweasel-branding.js "$pkgdir"/usr/lib/iceweasel/browser/defaults/preferences/iceweasel-branding.js diff --git a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js index a8cbabf0c..6d903d7dd 100644 --- a/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js +++ b/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js @@ -17,8 +17,14 @@ pref("layers.acceleration.disabled", true); pref("gfx.downloadable_fonts.fallback_delay", -1); pref("intl.charset.default", "windows-1252"); pref("intl.locale.matchOS", false); +// Set locale to en-US (if you are using localized version of FF) +pref("intl.accept_languages", "en-US, en"); pref("javascript.use_us_english_locale", true); pref("noscript.forbidFonts", true); +// Favicons cause fingerprinting by downloading your entire bookmarks toolbar on start-up. +pref("browser.chrome.favicons", false); +pref("browser.chrome.site_icons", false); +pref("browser.shell.shortcutFavicons", false); /****************************************************************************** * HTML5 / APIs / DOM * @@ -38,6 +44,10 @@ pref("dom.mozTCPSocket.enabled", false); // Disable DOM Shared Workers // See https://bugs.torproject.org/15562 pref("dom.workers.sharedWorkers.enabled", false); +// https://developer.mozilla.org/en-US/docs/Web/API/Worker +// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API +// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers +pref("dom.serviceWorkers.enabled", false); // Disable WebSockets // https://www.infoq.com/news/2012/03/websockets-security @@ -134,6 +144,7 @@ pref("media.ondevicechange.fakeDeviceChangeEvent.enabled", false); // https://wiki.mozilla.org/Media/WebRTC/Privacy pref("media.peerconnection.ice.default_address_only", true); // Firefox < 51 pref("media.peerconnection.ice.no_host", true); // Firefox >= 51 +pref("media.peerconnection.ice.relay_only", true); // Disable WebRTC entirely pref("media.peerconnection.enabled", false); @@ -232,6 +243,8 @@ pref("webgl.disable-extensions", false); pref("webgl.min_capability_mode", true); pref("webgl.disable-wgl", true); pref("webgl.enable-webgl2", false); +// https://trac.torproject.org/projects/tor/ticket/18603 +pref("webgl.disable-fail-if-major-performance-caveat", true); // somewhat related... pref("pdfjs.enableWebGL", false); @@ -724,11 +737,14 @@ pref("services.sync.log.appender.file.logOnError", false); // https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Is_there_a_preference_to_disable_link_prefetching.3F pref("network.prefetch-next", false); -// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine +// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine+ +// GeoIP-based search +// https://trac.torproject.org/projects/tor/ticket/16254 +pref("browser.search.countryCode", "US"); +pref("browser.search.region", "US"); pref("browser.search.geoip.url", ""); pref("browser.search.geoSpecificDefaults.url", "about:blank"); pref("browser.search.geoSpecificDefaults", false); -pref("browser.search.geoip.url", "about:blank"); // http://kb.mozillazine.org/Network.dns.disablePrefetch // https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching @@ -955,6 +971,11 @@ pref("browser.pagethumbnails.capturing_disabled", true); // Webpages will not be able to affect the right-click menu //pref("dom.event.contextmenu.enabled", false); +// Disable Recently Bookmarked Folder +// https://bugzilla.mozilla.org/show_bug.cgi?id=1248268 +// https://hg.mozilla.org/releases/mozilla-release/rev/f98e3add979e +//pref("browser.bookmarks.showRecentlyBookmarked", false); + // Don't promote sync pref("browser.syncPromoViewsLeftMap", "{\"addons\":0,\"bookmarks\":0,\"passwords\":0}"); @@ -1010,6 +1031,8 @@ pref("browser.shell.checkDefaultBrowser", false); // CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage pref("security.ask_for_password", 0); +// When security.ask_for_password is 2 (every n minutes), lock password storage every 5 minutes (default is 30) + pref("security.password_lifetime", 5); // https://bugzilla.mozilla.org/show_bug.cgi?id=1166947 pref("signon.formlessCapture.enabled", false); @@ -1020,6 +1043,12 @@ pref("browser.link.open_newwindow.restriction", 0); // https://bugzilla.mozilla.org/show_bug.cgi?id=1217162 pref("security.insecure_field_warning.contextual.enabled", true); +// Enable insecure password warnings (login forms in non-HTTPS pages) +// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/ +// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119 +// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156 +pref("security.insecure_password.ui.enabled", true); + /****************************************************************************** * TLS / HTTPS / OCSP related stuff * * * @@ -1036,6 +1065,10 @@ pref("network.stricttransportsecurity.preloadlist", false); pref("security.mixed_content.send_hsts_priming", false); pref("security.mixed_content.use_hsts", false); +// OWASP ASVS V9.1 +// https://bugzilla.mozilla.org/show_bug.cgi?id=956906 +pref("signon.storeWhenAutocompleteOff", false); + // CIS Version 1.2.0 October 21st, 2011 2.2.4 Enable Online Certificate Status Protocol // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns pref("security.OCSP.enabled", 0); @@ -1063,7 +1096,10 @@ pref("security.enable_tls_session_tickets", false); // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.) // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol. pref("security.tls.version.min", 1); -pref("security.tls.version.max", 3); +pref("security.tls.version.max", 4); + +// TLS version fallback +pref("security.tls.version.fallback-limit", 3); // pinning // https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning @@ -1075,6 +1111,7 @@ pref("security.cert_pinning.enforcement_level", 2); // https://hg.mozilla.org/releases/mozilla-release/rev/43c724bde81c#l3.34 // http://www.scmagazine.com/mozilla-pulls-back-on-rejecting-sha-1-certs-outright/article/463913/ // 0 = allow SHA-1; 1 = forbid SHA-1; 2 = allow SHA-1 only if notBefore < 2016-01-01 +// https://shattered.io/ pref("security.pki.sha1_enforcement_level", 1); // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken |